I've maintained this list the last several years: https://github.com/anderspitman/awesome-tunneling
Pangolin has quickly risen almost to the top since being released. It's very well loved by /r/selfhosted.
Co-maintainer here: we also did this cool thing where we reused the same Go codebase across our clients. We have a Go package called olm (on our GitHub and following our animal theme) that implements all of the VPN capabilities. It creates the tunnel, monitors the peers, syncs with the Pangolin server. This itself is a binary that can run on its own as like our own little VPN kernel module - then in the different applications we use olm to trigger the tunnel. This is easy on Windows as the whole app is Go-based, but on Android, Mac, and iOS we use C bindings to compile it as a shared library into the application. Then the native application imports parts of the module to initiate the tunnel and handle the tunneling. On iOS and macOS this is handled in a "Network Extension" which is a secure environment Apple runs tunneling applications in, so we use a Unix socket to communicate with the olm tunneling kernel to show status to the user and handle commands.
Congrats on progress.
These are differentiating from most VPN and zero trust:
+ fully self-hostable open source
+ avoid ACL complexity (default closed architecture)
+ sovereign identity-based
OpenZiti is similar in those – how do you compare and contrast the two since very few others share those differentiators (I am an OZ maintainer)?
I was thinking of using this to tunnel all of my public sites, to hide my home IP. But in the end what's the issue of showing my home IP? The attack surface stays the same. I just reverse proxy everything through Caddy.
Also weren’t some features gated behind the cloud version? An appeal for this to replace Cloudflare tunnels and Tailscale funnel is the _fully_ open-source aspect
Hiding an IP and security are not necessarily the main use cases.
The tunneled reverse proxy aspect comes in handy when trying to expose internal apps on a network behind a hard NAT where ports can't be opened and a public IP address isn't available (like CGNAT).
Pangolin is also a VPN like Tailscale/Twingate/etc, so you can access non-HTTP resources via a direct connection via WireGuard and NAT traversal.
Really cool product, impressive how much you've built and the usage you've attained in a short period of time
Thanks! :)
Thank you, great product, can only recommend it! I've been self-hosting it since last year to access my Jellyfin home server from the web. Setup was easy and I never had any issues.
What are the advantages of this setup rather than reverse proxying right where your jellyfin is?
Traditional reverse proxies require a public IP and open firewall ports. Pangolin uses a tunneled reverse proxy to expose resources behind restrictive firewalls without those requirements.
A single Pangolin server can tunnel to multiple remote networks, centralizing apps from different locations into one place. It also includes VPN clients and handles NAT traversal as an alternative to traditional VPNs for direct connections.
I replaced CF tunnels, which kept disconnecting every few minutes, with it, and am happy.
> The Enterprise Edition is also open-source under the commercial license which enables free personal/small business use.
Open Source can be paid or commercial. But the license of this software's Enterprise Edition, called "Fossorial Commercial License", is not Open Source. You tell who can use the software, and how, after the share/sale, and call it Open Source.
The main site also advertises "Self Host: Enterprise Edition" as being "100% Open Source" which is simply not true and false advertising.
Pangolin is dual licensed under the AGPLv3 and the Fossorial Commercial License. The community edition includes no commercial license code and is fully AGPL compliant. The enterprise edition is also free to use for personal use.
Yes, but the enterprise edition seems to be falsely advertised on the main site as open source. And the community and enterprise editions are mixed in the source code, making compilation of the community edition complicated.
It's how commercial software tries to get big and a lot of undeserved, free goodwill these days.